Douglas J. Partch, Jr. – Lead Nerd Protecting SQL Code Through DB2 LUW Obfuscation

“Is it possible to protect SQL Code in a database?” 2 Frequent question asked by manufactures of software applications containing databases. For DB2 the simple answers was always, “NO”, up until release of DB2 LUW 9.7 Fix Pack 2 IBM added support for Oracle’s DBMS_DDL.WRAP Function DBMS_DDL.CREATE_WRAPPED Stored Procedure,

What can be protected 3 DB2 LUW supports the following objects. ObjectPL/SQLSQL PL Create ProcedureYes Create FunctionYes Create PackageYesNo Create Package BodyYesNo Create TriggersYes Create ViewYes Alter Module Add FunctionYes Alter Module Publish FunctionYes Alter Module Add ProcedureYes Alter Module Publish ProcedureYes

How do we do it. 4 Step 1. Enable Oracle Compatibility if DB2 version lower than 10.5 First the requirement: The database must be enabled for Oracle compatibility, even if this is the only feature you want to use. First the requirement: The database must be enabled for Oracle compatibility, even if this is the only feature you want to use. 1. db2set DB2_COMPATIBILITY_VECTOR=ORA 2. db2stop 3. db2start 4. db2set DB2_COMPATIBILITY_VECTOR 5. create db PROTECT 6. connect to PROTECT Can not be added to an existing database

Build Initial object 5 Step 2. Create Database object to be protected CREATE OR REPLACE xray.SQUARE_SP CREATE OR REPLACE PROCEDURE xray.SQUARE_SP (IN var_IN SMALLINT, OUT var_OUT INTEGER) (IN var_IN SMALLINT, OUT var_OUT INTEGER) LANGUAGE SQL LANGUAGE SQL READS SQL DATA READS SQL DATA NOT DETERMINISTIC NOT DETERMINISTIC SPECIFIC TEST_SP SPECIFIC TEST_SP P1: BEGIN P1: BEGIN -- Square the input variable -- Square the input variable SET var_OUT = var_IN * var_IN; SET var_OUT = var_IN * var_IN;

Encrypt Object (Method 1) 6 Step 3a. Encrypted object using SELECT SELECT DBMS_DDL.WRAP(TEXT) FROM SYSCAT.ROUTINES FROM SYSCAT.ROUTINES WHERE ROUTINESCHEMA = 'XRAY' WHERE ROUTINESCHEMA = 'XRAY' AND ROUTINENAME = ' SQUARE_SP ' AND ROUTINENAME = ' SQUARE_SP ' --output-- string type of CLOB(2M) CREATE OR REPLACE PROCEDURE xray.SQUARE_SP ( IN var_IN SMALLINT, OUT var_OUT INTEGER ) ( IN var_IN SMALLINT, OUT var_OUT INTEGER ) WRAPPED SQL10054 ablGWmdiWmtuTmduTmJGTmtmUmZKUmJeUmdCWmdaWidaWmdaWmdaXnJf orcaGicaGFhf_D5GCMrs4t8HyTuxOEoCaQtY0ipPT_ac_lcdzK1ya_D0 zvnMzxacCYXfj0OjchzVbt93WJGUnTC1cY:YoyP_53tBa6O07YSQTA:H gLp29aD2ZSaV9K5aR0l6WEkhl0qRe67fq5DlypPwNRb7JXT53GQsYeO_ UKJkVJRV912dnNku:GSNXh7:PH37nTS4W7zZUrNDyH8y5y4RmguppGL1 dZ4ia WRAPPED SQL10054 ablGWmdiWmtuTmduTmJGTmtmUmZKUmJeUmdCWmdaWidaWmdaWmdaXnJf orcaGicaGFhf_D5GCMrs4t8HyTuxOEoCaQtY0ipPT_ac_lcdzK1ya_D0 zvnMzxacCYXfj0OjchzVbt93WJGUnTC1cY:YoyP_53tBa6O07YSQTA:H gLp29aD2ZSaV9K5aR0l6WEkhl0qRe67fq5DlypPwNRb7JXT53GQsYeO_ UKJkVJRV912dnNku:GSNXh7:PH37nTS4W7zZUrNDyH8y5y4RmguppGL1 dZ4ia Make sure you save a copy of the Original SQL code first

Encrypt Object (Method 2) 7 Step 3b. Encrypt all database objects using DB2LOOK. db2look –d PROTECT –e -wrap DDL Statements for Stored Procedures SET NLS_STRING_UNITS = 'SYSTEM'; SET CURRENT SCHEMA = "PARD04 "; SET CURRENT PATH = "SYSIBM","SYSFUN","SYSPROC","SYSIBMADM","PARD04"; CREATE PROCEDURE xray.SQUARE_SP (IN var_IN SMALLINT, OUT var_OUT INTEGER) WRAPPED SQL10054 ablGWmdiWmtuTmduTmJGTmtqUmdiUmtaUmJy2mdaXidaWmdaWmdaXntDqmsaGicaG6Cx52seVPY9 FpzJavr24KHbC:mfGh1SAawXPorMsrLd3rjWvSWhiuofmGr5qp6QVtnyQpogB38C3zAeQfZhKEun UTYMsNs7YJPW6WVBC4Zi:mms:hX3PN0XSNp58e3KuuDLL9oPeia_mKf9Y5Fe9hOd7ht5bTPZ3vLU Qwae5q0Lgx5Pvmd7OcNLWYccYdvkKTrbYF8WuJQ_uk7:GPsU:4aaa; COMMIT WORK;

Encrypt Object (Method 3) 8 Step 3c. Encrypted object using SP CALL and create it in one step. CALL DBMS_DDL.CREATE_WRAPPED (DBMS_DDL.WRAP('CREATE OR REPLACE PROCEDURE xray.SQUARE_SP (IN var_IN SMALLINT, OUT var_OUT INTEGER) LANGUAGE SQL READS SQL DATA NOT DETERMINISTIC SPECIFIC SQUARE_SP P1: BEGIN SET var_OUT = var_IN * var_IN; END P1' )) --output-- DB20000I The SQL command completed successfully. CALL DBMS_DDL.CREATE_WRAPPED(DBMS_DDL.WRAP('CREATE OR REPLACE PROCEDURE xray.SQUARE_SP ( IN var_IN SMALLINT, OUT var_OUT INTEGER) LANGUAGE SQL READS SQL DATA NOT DETERMINISTIC SPECIF IC SQUARE_SP P1: BEGIN SET var_OUT = var_IN * var_IN; END' )) Return Status = 0

How do we do it. 9 Decoding Wrapped WRAPPED pppvvrrm ppp identifies the product as DB2 LUW using the letters SQL vv is a two-digit version identifier, such as ‘10' rr is a two-digit release identifier, such as '05' m is a one-character modification level identifier, such as ‘4'. WRAPPED SQL WRAPPED SQL ablGWmdiWmtuTmduTmJGTmtqUmdiUmtaUmJy2mdaXidaWmdaWmdaXntDqmsaGicaG6Cx52s eVPY9FpzJavr24KHbC:mfGh1SAawXPorMsrLd3rjWvSWhiuofmGr5qp6QVtnyQpogB38C3z AeQfZhKEunUTYMsNs7YJPW6WVBC4Zi:mms:hX3PN0XSNp58e3KuuDLL9oPeia_mKf9Y5Fe9 hOd7ht5bTPZ3vLUQwae5q0Lgx5Pvmd7OcNLWYccYdvkKTrbYF8WuJQ_uk7:GPsU:4aaa; Any time wrap is called it will create unique encrypted data

How do we do it. 10 Step 4. Place the Encrypted object in the database. Execute Code create from Step 3a or 3b (). Execute Code create from Step 3a or 3b (3c has already created the object). CREATE OR REPLACE PROCEDURE xray.SQUARE_SP ( IN var_IN SMALLINT, OUT var_OUT INTEGER ) WRAPPED SQL09075 ablGWmdiWmtiTmdiTmJCTmJiUnteUndKUndm3mdaWidaWmdaWmdaYmJDUzcaGicaGTXFNDXk1azDZkg2zEqHnY ZXjczGCgLJuXEgyaYDDWrYjsP40Zq:kCz9cGZ:weDD2uB91ArD5GvaF5aMVp7bm:gVVh6XHZZkbgDD9jgtzscl odJIB7J8YU74ocjV8s0:sjbB:_0M13Fb8ZLefoE4snbMTr2zk4Hvg2Rqq4DCYRA8WCCFbDJ6vY1ytUoT2m5I4n 3FSX7TtPnza_62EsNoWbHBKyLwE9FBK2978tbWVLCOsB0DzXN4u0DAYwHnuoK7GeYu0aN2xp9rpMeUCuGaxc4b tNWeitGDz_Cvn_DO_lOdtL1bOr Update the existing object in database Update the existing object in databaseBEGIN DECLARE txt CLOB(2M); DECLARE txt CLOB(2M); SET txt = (SELECT DBMS_DDL.WRAP(TEXT) SET txt = (SELECT DBMS_DDL.WRAP(TEXT) FROM SYSCAT.ROUTINES FROM SYSCAT.ROUTINES WHERE ROUTINESCHEMA = 'XRAY' WHERE ROUTINESCHEMA = 'XRAY' AND ROUTINENAME = ‘SQUARE_SP'); AND ROUTINENAME = ‘SQUARE_SP'); EXECUTE IMMEDIATE txt; EXECUTE IMMEDIATE txt;END

How do we do it. 11 Step 5. Test Encrypted object. call xray.SQUARE_SP(10,?) --Output-- Value of output parameters Parameter Name : VAR_OUT Parameter Value : 100 Return Status = 0

Other Built in Modules. 12 DBMS_ALERT module The DBMS_ALERT module provides a set of procedures for registering for alerts, sending alerts, and receiving alerts. DBMS_ALERT module DBMS_JOB module The DBMS_JOB module provides procedures for the creation, scheduling, and managing of jobs. DBMS_JOB module DBMS_LOB module The DBMS_LOB module provides the capability to operate on large objects. DBMS_LOB module DBMS_OUTPUT module The DBMS_OUTPUT module provides a set of procedures for putting messages (lines of text) in a message buffer and getting messages from the message buffer. These procedures are useful during application debugging when you need to write messages to standard output. DBMS_OUTPUT module DBMS_PIPE module The DBMS_PIPE module provides a set of routines for sending messages through a pipe within or between sessions that are connected to databases within the same DB2 instance. DBMS_PIPE module DBMS_SQL module The DBMS_SQL module provides a set of procedures for executing dynamic SQL, and therefore supports various data manipulation language (DML) or data definition language (DDL) statement. DBMS_SQL module

Other Built in Modules. 13 DBMS_UTILITY module The DBMS_UTILITY module provides various utility programs. DBMS_UTILITY module MONREPORT module The MONREPORT module provides a set of procedures for retrieving a variety of monitoring data and generating text reports. MONREPORT module UTL_DIR module The UTL_DIR module provides a set of routines for maintaining directory aliases that are used with the UTL_FILE module. UTL_DIR module UTL_FILE module The UTL_FILE module provides a set of routines for reading from and writing to files on the database server's file system. UTL_FILE module UTL_MAIL module The UTL_MAIL module provides the capability to send . UTL_MAIL module UTL_SMTP module The UTL_SMTP module provides the capability to send over the Simple Mail Transfer Protocol (SMTP). UTL_SMTP module

Example of using DBMS_OUTPUT 14 CREATE PROCEDURE xray.proc1(IN_PARM VARCHAR(10) ) BEGIN CALL DBMS_OUTPUT.PUT( 'INPUT = ' ); CALL DBMS_OUTPUT.PUT_LINE(IN_PARM ); SET SERVEROUTPUT CALL xray.proc1( '10' SET SERVEROUTPUT CALL xray.proc1( '20' CALL proc1( '10' ) Return Status = 0 INPUT = 10 SET SERVEROUTPUT OFF DB20000I The SET SERVEROUTPUT command completed successfully. CALL proc1( '20' ) Return Status = 0

That’s all folks 15